MAC spoofing

Last updated

MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. The MAC address that is hard-coded on a network interface controller (NIC) cannot be changed. However, many drivers allow the MAC address to be changed. Additionally, there are tools which can make an operating system believe that the NIC has the MAC address of a user's choosing. The process of masking a MAC address is known as MAC spoofing. Essentially, MAC spoofing entails changing a computer's identity, for any reason. [1]

Contents

Motivation

Changing the assigned MAC address may allow the user to bypass access control lists on servers or routers, either hiding a computer on a network or allowing it to impersonate another network device. It may also allow the user to bypass MAC address blacklisting to regain access to a Wi-Fi network. However, MAC spoofing does not work when trying to bypass parental controls if automatic MAC filtering is turned on. MAC spoofing is done for legitimate and illicit purposes alike. [2]

New hardware for existing Internet Service Providers (ISP)

Many ISPs register the client's MAC address for service and billing services. [3] Since MAC addresses are unique and hard-coded on network interface controller (NIC) cards, [1] when the client wants to connect a new device or change an existing one, the ISP will detect different MAC addresses and might not grant Internet access to those new devices. This can be circumvented easily by MAC spoofing, with the client only needing to spoof the new device's MAC address so it appears to be the MAC address that was registered by the ISP. [3] In this case, the client spoofs their MAC address to gain Internet access from multiple devices. While this is generally a legitimate case, MAC spoofing of new devices can be considered illegal if the ISP's user agreement prevents the user from connecting more than one device to their service. Moreover, the client is not the only person who can spoof their MAC address to gain access to the ISP. Computer crackers can gain unauthorized access to the ISP via the same technique. This allows them to gain access to unauthorized services, while being difficult to identify and track as they are using the client's identity. This action is considered an illegitimate and illegal use of MAC spoofing. [4]

This also applies to customer-premises equipment, such as cable and DSL modems. If leased to the customer on a monthly basis, the equipment has a hard-coded MAC address known to the provider's distribution networks, allowing service to be established as long as the customer is not in billing arrears. In cases where the provider allows customers to provide their own equipment (and thus avoid the monthly leasing fee on their bill), the provider sometimes requires that the customer provide the MAC address of their equipment before service is established.

Fulfilling software requirements

Some software can only be installed and run on systems with pre-defined MAC addresses as stated in the software end-user license agreement, and users have to comply with this requirement in order to gain access to the software. If the user has to install different hardware due to malfunction of the original device or if there is a problem with the user's NIC card, then the software will not recognize the new hardware. However, this problem can be solved using MAC spoofing. The user has to spoof the new MAC address so that it appears to be the address that was in use when the software was registered.[ citation needed ] Legal issues might arise if the software is run on multiple devices at once by using MAC spoofing. At the same time, the user can access software for which they have not secured a license. Contacting the software vendor might be the safest route to take if there is a hardware problem preventing access to the software.

Some softwares may also perform MAC filtering in an attempt to ensure unauthorized users cannot gain access to certain networks which would otherwise be freely accessible with the software. Such cases can be considered illegitimate or illegal activity and legal action may be taken. [5]

Identity masking

If a user chooses to spoof their MAC address in order to protect their privacy,[ citation needed ] this is called identity masking. As an example motivation, on Wi-Fi network connections a MAC address is not encrypted. Even the secure IEEE 802.11i-2004 (WPA) encryption method does not prevent Wi-Fi networks from sending out MAC addresses.[ citation needed ] Hence, in order to avoid being tracked, the user might choose to spoof the device's MAC address. However, computer crackers use the same technique to bypass access control methods such as MAC filtering, without revealing their identity. MAC filtering prevents access to a network if the MAC address of the device attempting to connect does not match any addresses marked as allowed, which is used by some networks. Computer crackers can use MAC spoofing to gain access to networks utilising MAC filtering if any of the allowed MAC addresses are known to them, possibly with the intent of causing damage, while appearing to be one of the legitimate users of the network. As a result, the real offender may go undetected by law enforcement.[ citation needed ]

MAC Address Randomization in WiFi

To prevent third parties from using MAC addresses to track devices, Android, Linux, iOS, macOS, and Windows [6] have implemented MAC address randomization. In June 2014, Apple announced that future versions of iOS would randomize MAC addresses for all WiFi connections. The Linux kernel has supported MAC address randomization during network scans since March 2015, [7] but drivers need to be updated to use this feature. [8] Windows has supported it since the release of Windows 10 [6] in July 2015.

Controversy

Although MAC address spoofing is not illegal, its practice has caused controversy in some cases. In the 2012 indictment against Aaron Swartz, an Internet hacktivist who was accused of illegally accessing files from the JSTOR digital library, prosecutors claimed that because he had spoofed his MAC address, this showed purposeful intent to commit criminal acts. [5] In June 2014, Apple announced that future versions of their iOS platform would randomize MAC addresses for all WiFi connections, making it more difficult for internet service providers to track user activities and identities, which resurrected moral and legal arguments surrounding the practice of MAC spoofing among several blogs and newspapers. [9]

Limitations

MAC address spoofing is limited to the local broadcast domain. Unlike IP address spoofing, where senders spoof their IP address in order to cause the receiver to send the response elsewhere, in MAC address spoofing the response is usually received by the spoofing party if MAC filtering is not turned on making the spoofer able to impersonate a new device.

See also

Related Research Articles

An Internet filter is software that restricts or controls the content an Internet user is capable to access, especially when utilized to restrict material delivered over the Internet via the Web, Email, or other means. Content-control software determines what content will be available or be blocked.

A MAC address is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment. This use is common in most IEEE 802 networking technologies, including Ethernet, Wi-Fi, and Bluetooth. Within the Open Systems Interconnection (OSI) network model, MAC addresses are used in the medium access control protocol sublayer of the data link layer. As typically represented, MAC addresses are recognizable as six groups of two hexadecimal digits, separated by hyphens, colons, or without a separator.

<span class="mw-page-title-main">Wake-on-LAN</span> Mechanism to wake up computers via a network

Wake-on-LAN is an Ethernet or Token Ring computer networking standard that allows a computer to be turned on or awakened from sleep mode by a network message.

<span class="mw-page-title-main">Proxy server</span> Computer server that makes and receives requests on behalf of a user

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. It improves privacy, security, and performance in the process.

<span class="mw-page-title-main">Wardriving</span> Search for wireless networks with mobile computing equipment

Wardriving is the act of searching for Wi-Fi wireless networks as well as cell towers, usually from a moving vehicle, using a laptop or smartphone. Software for wardriving is freely available on the internet.

<span class="mw-page-title-main">Network interface controller</span> Hardware component that connects a computer to a network

A network interface controller is a computer hardware component that connects a computer to a computer network.

Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security certification programs developed after 2000 by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).

<span class="mw-page-title-main">Captive portal</span> Web page displayed to new users of a network

A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are commonly used to present a landing or log-in page which may require authentication, payment, acceptance of an end-user license agreement, acceptable use policy, survey completion, or other valid credentials that both the host and user agree to adhere by. Captive portals are used for a broad range of mobile and pedestrian broadband services – including cable and commercially provided Wi-Fi and home hotspots. A captive portal can also be used to provide access to enterprise or residential wired networks, such as apartment houses, hotel rooms, and business centers.

<span class="mw-page-title-main">Port forwarding</span> Computer networking feature

In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway, by remapping the destination IP address and port number of the communication to an internal host.

<span class="mw-page-title-main">Wi-Fi hotspot</span> Wi-Fi access point

A hotspot is a physical location where people can obtain Internet access, typically using Wi-Fi technology, via a wireless local-area network (WLAN) using a router connected to an Internet service provider.

<span class="mw-page-title-main">Wireless security</span> Aspect of wireless networks

Wireless security is the prevention of unauthorized access or damage to computers or data using wireless networks, which include Wi-Fi networks. The term may also refer to the protection of the wireless network itself from adversaries seeking to damage the confidentiality, integrity, or availability of the network. The most common type is Wi-Fi security, which includes Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is an old IEEE 802.11 standard from 1997. It is a notoriously weak security standard: the password it uses can often be cracked in a few minutes with a basic laptop computer and widely available software tools. WEP was superseded in 2003 by WPA, a quick alternative at the time to improve security over WEP. The current standard is WPA2; some hardware cannot support WPA2 without firmware upgrade or replacement. WPA2 uses an encryption device that encrypts the network with a 256-bit key; the longer key length improves security over WEP. Enterprises often enforce security using a certificate-based system to authenticate the connecting device, following the standard 802.11X.

<span class="mw-page-title-main">Nintendo Wi-Fi USB Connector</span> Discontinued wireless game adapter

The Nintendo Wi-Fi USB Connector is a wireless game adapter, developed by Nintendo and Buffalo Technology, which allows the Nintendo DS, Wii and 3DS users without a Wi-Fi connection or compatible Wi-Fi network to establish an Internet connection via a broadband-connected PC. When inserted into the host PC's USB port, the connector functions with the Nintendo DS, Wii, DSi and 3DS, permitting the user to connect to the Internet and play Nintendo games that require a Wi-Fi connection and access various other online services. According to the official Nintendo website, this product was the best-selling Nintendo accessory to date on 15 November 2007, but was discontinued in the same month. On September 9, 2005, Nintendo announced the Nintendo Wi-Fi Network Adapter, an 802.11g wireless router/bridge which serves a similar purpose.

Cisco NAC Appliance, formerly Cisco Clean Access (CCA), was a network admission control (NAC) system developed by Cisco Systems designed to produce a secure and clean computer network environment. Originally developed by Perfigo and marketed under the name of Perfigo SmartEnforcer, this network admission control device analyzes systems attempting to access the network and prevents vulnerable computers from joining the network. The system usually installs an application known as the Clean Access Agent on computers that will be connected to the network. This application, in conjunction with both a Clean Access server and a Clean Access Manager, has become common in many universities and corporate environments today. It is capable of managing wired or wireless networks in an in-band or out-of-band configuration mode, and Virtual Private networks (VPN) in an in-band only configuration mode.

Piggybacking on Internet access is the practice of establishing a wireless Internet connection by using another subscriber's wireless Internet access service without the subscriber's explicit permission or knowledge. It is a legally and ethically controversial practice, with laws that vary by jurisdiction around the world. While completely outlawed or regulated in some places, it is permitted in others.

A home server is a computing server located in a private computing residence providing services to other devices inside or outside the household through a home network or the Internet. Such services may include file and printer serving, media center serving, home automation control, web serving, web caching, file sharing and synchronization, video surveillance and digital video recorder, calendar and contact sharing and synchronization, account authentication, and backup services. In the recent times, it has become very common to run literally hundreds of applications as containers, isolated from the host operating system.

Split tunneling is a computer networking concept which allows a user to access dissimilar security domains like a public network and a local area network or wide area network at the same time, using the same or different network connections. This connection state is usually facilitated through the simultaneous use of a LAN network interface controller (NIC), radio NIC, Wireless LAN (WLAN) NIC, and VPN client software application without the benefit of an access control.

The W3C Geolocation API is an effort by the World Wide Web Consortium (W3C) to standardize an interface to retrieve the geographical location information for a client-side device. It defines a set of objects, ECMAScript standard compliant, that executing in the client application give the client's device location through the consulting of Location Information Servers, which are transparent for the application programming interface (API). The most common sources of location information are IP address, Wi-Fi and Bluetooth MAC address, radio-frequency identification (RFID), Wi-Fi connection location, or device Global Positioning System (GPS) and GSM/CDMA cell IDs. The location is returned with a given accuracy depending on the best location information source available.

<span class="mw-page-title-main">AirPrint</span> Feature by Apple

AirPrint is a feature in Apple Inc.'s macOS and iOS operating systems for printing without installing printer-specific drivers.

The precise number of websites blocked in the United Kingdom is unknown. Blocking techniques vary from one Internet service provider (ISP) to another with some sites or specific URLs blocked by some ISPs and not others. Websites and services are blocked using a combination of data feeds from private content-control technology companies, government agencies, NGOs, court orders in conjunction with the service administrators who may or may not have the power to unblock, additionally block, appeal or recategorise blocked content.

A Wi-Fi deauthentication attack is a type of denial-of-service attack that targets communication between a user and a Wi-Fi wireless access point.

References

  1. 1 2 Cardenas, Edgar D. "MAC Spoofing--An Introduction". GIAC Security Essentials Certification. SANS Institute. Retrieved 8 February 2013.
  2. "MAC Spoofing Attack: All You Need to Know in 6 Important points". 20 October 2020. Retrieved 10 November 2022.
  3. 1 2 "MAC Spoofing". Royal Canadian Mounted Police. Research and Development Section in Collaboration with the NCECC’s Technology Unit. Archived from the original on 23 June 2012. Retrieved 8 February 2013.
  4. Gupta, Deepak; Gaurav Tiwari (4 November 2009). "MAC SPOOFING AND ITS COUNTERMEASURES" (PDF). International Journal of Recent Trends in Engineering. 2 (4): 21. Retrieved 8 February 2013.
  5. 1 2 Indictment against Aaron Swartz
  6. 1 2 Vanhoef, Mathy; Matte, Célestin; Cunche, Mathieu; Cardoso, Leonardo S.; Piessens, Frank (30 May 2016). "Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms" (PDF). Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security. pp. 413–424. doi:10.1145/2897845.2897883. ISBN   9781450342339. S2CID   12706713 . Retrieved 30 November 2022.
  7. Malinen, Jouni (15 February 2004). "ChangeLog for wpa_supplicant". w1.fi. Archived from the original on 8 November 2022. Retrieved 30 November 2022. add support for MAC address randomization in scans with nl80211
  8. "Kernel/Git/Torvalds/Linux.git - Linux kernel source tree".
  9. Change MAC Address: Use Public WiFi Signals Without Any Limits, Not To Mention Serious Privacy Benefits